HIGH H1: Crypto Policy P1
Overview
This remediation configures the system-wide cryptographic policy to disable SHA1, improving the security posture of RHCOS nodes by enforcing stronger cryptographic standards.
Settings
| Setting | Value | Description |
|---|---|---|
| crypto-policy | DEFAULT:NO-SHA1 | System-wide crypto policy without SHA1 |
Implementation
The remediation applies a MachineConfig that sets the crypto policy via a systemd unit:
```yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-crypto-policy-high
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    systemd:
      units:
      - name: configure-crypto-policy.service
        enabled: true
        contents: |
          [Unit]
          Description=Configure System Crypto Policy
          Before=sshd.service
          After=systemd-machine-id-commit.service
          ConditionFirstBoot=no

          [Service]
          Type=oneshot
          ExecStart=/usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1
          RemainAfterExit=yes

          [Install]
          WantedBy=multi-user.target
```
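The MachineConfig above is labelled for the master role only; the worker check listed below needs a second object with `role: worker`. The following added example (not part of the remediation files) builds both objects from the same unit template and validates the policy string before it is rendered, so a typo such as an unknown base policy is caught before `oc apply`. The per-role name suffix is an assumption; the source files' naming is not shown on this page.

```python
# Base policies shipped by crypto-policies; subpolicies chain as BASE:SUB:SUB.
BASE_POLICIES = {"DEFAULT", "LEGACY", "FUTURE", "FIPS"}

UNIT_TEMPLATE = """[Unit]
Description=Configure System Crypto Policy
Before=sshd.service
After=systemd-machine-id-commit.service
ConditionFirstBoot=no

[Service]
Type=oneshot
ExecStart=/usr/bin/update-crypto-policies --set {policy}
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
"""

def policy_error(policy: str):
    """Return why update-crypto-policies would reject policy, or None."""
    base, *subs = policy.split(":")
    if base not in BASE_POLICIES:
        return f"unknown base policy {base!r}"
    for sub in subs:
        if not sub or not all(c.isalnum() or c in "-_" for c in sub):
            return f"malformed subpolicy {sub!r}"
    return None

def machineconfig(role: str, policy: str = "DEFAULT:NO-SHA1") -> dict:
    """Build the MachineConfig for one role; the name suffix is an assumption."""
    err = policy_error(policy)
    if err:
        raise ValueError(err)
    unit = {"name": "configure-crypto-policy.service", "enabled": True,
            "contents": UNIT_TEMPLATE.format(policy=policy)}
    return {
        "apiVersion": "machineconfiguration.openshift.io/v1",
        "kind": "MachineConfig",
        "metadata": {"name": f"75-crypto-policy-high-{role}",
                     "labels": {"machineconfiguration.openshift.io/role": role}},
        "spec": {"config": {"ignition": {"version": "3.2.0"},
                            "systemd": {"units": [unit]}}},
    }

def exec_policy(mc: dict) -> str:
    """Read back the policy the unit's ExecStart will set (review helper)."""
    unit = mc["spec"]["config"]["systemd"]["units"][0]["contents"]
    line = next(l for l in unit.splitlines() if l.startswith("ExecStart="))
    return line.rsplit("--set ", 1)[1].strip()
```

`json.dumps(machineconfig("worker"))` yields a manifest that `oc apply -f -` accepts, since the API server takes JSON as well as YAML.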
Compliance Checks Remediated
This group addresses the following compliance checks:
| Check | Profile | Description | Docs |
|---|---|---|---|
| rhcos4-e8-worker-configure-crypto-policy | E8 | Configure system crypto policy (worker) | 📖 |
| rhcos4-e8-master-configure-crypto-policy | E8 | Configure system crypto policy (master) | 📖 |
Source Remediation Files
- high/rhcos4-e8-worker-configure-crypto-policy.yaml
- high/rhcos4-e8-master-configure-crypto-policy.yaml
Verification
After applying the MachineConfig, verify the crypto policy on a node:
```shell
oc debug node/<node-name> -- chroot /host update-crypto-policies --show
# Expected output: DEFAULT:NO-SHA1
```
Related Links
- Red Hat Crypto Policies Documentation
- NIST SP 800-131A Rev 2 - Transitioning cryptographic algorithms